How SPF, DKIM and DMARC can help detect and prevent Phishing, Spear Phishing and Spoofing
Could your business survive without email? Probably not. Email is important. Today, email is the most commonly used method of communication around the world. Connecting families, connecting governments, connecting clients with small businesses and large enterprises alike. While it’s fast and efficient, it’s also widely used for malicious purposes via impersonation and fraud.
Did you know that only 55% of the email sent globally is legitimate? Roughly 14.5 billion spam emails are sent EVERY. SINGLE. DAY. In 2016 alone, at least 76% of companies fell victim to phishing, and attempts have grown more than 65% in the last year.
According to the Verizon Data Breach Investigations Report, 30% of phishing emails are opened by the targeted user and at least 12% of those users click on the malicious link or attachment.
Additionally, 95% (yes NINETY-FIVE PERCENT) of attacks on enterprise networks are the result of the successful phishing of a user. We (humans) are definitely the weakest link in the security chain.
To make matters worse, Deloitte states that one-third of consumers said they would no longer work with a business following a security breach, even if they did not suffer a material loss. 60% of your customers will think about leaving, and 30% actually do.
So what are some of the ways that we can better protect our organizations? Implement SPF, DKIM and DMARC.
Sender Policy Framework (SPF)
SPF is an email authentication method designed to detect forged sender addresses during the delivery of an email.
And while SPF alone is somewhat limited, in combination with DMARC it can be used to detect forging of the visible sender in emails (spoofing), a technique often used in phishing and email spam.
SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain’s administrators, as published in the DNS records for that domain.
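To make the SPF check described above concrete, here is a small added example (not code from the original article) that evaluates a published SPF record against the connecting IP address the way a receiving mail server does. The record and the domain it stands for (example.com) are constructed for the demonstration. The example only resolves the `ip4`, `ip6` and `all` mechanisms; `a`, `mx`, `include` and `exists` require DNS lookups, which an offline example cannot perform, so they are reported as `temperror` here.

```python
import ipaddress

# Constructed sample SPF TXT record for the hypothetical domain example.com.
# It authorizes one IPv4 /24 and one IPv6 /32 and hard-fails everything else.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a published SPF record into (qualifier, mechanism, value) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # mechanisms without an explicit prefix default to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:
            # modifiers such as redirect= or exp=; not evaluated in this example
            continue
        mechanism, _, value = term.partition(":")
        terms.append((qualifier, mechanism.lower(), value))
    return terms


def check_spf(record, sender_ip):
    """Return the SPF result for a message received from sender_ip.

    Mechanisms are evaluated left to right; the first match decides the result.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        matched = False
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            matched = ip.version == network.version and ip in network
        else:
            # a, mx, include, exists and ptr need DNS; a real verifier resolves
            # them, this offline example cannot.
            return "temperror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    # RFC 7208: no mechanism matched and no redirect present => neutral
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:1::1", "198.51.100.7"):
        print(ip, "->", check_spf(SAMPLE_SPF, ip))
```

Note that a hard `-all` produces `fail` for any IP the domain owner did not list, while `~all` only produces `softfail`; which of those a receiver acts on is exactly what the DMARC policy described later lets the domain owner control.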
DomainKeys Identified Mail (DKIM)
DKIM is an email authentication method designed to detect forged sender addresses in emails (spoofing).
DKIM allows the receiver to check that an email claiming to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by adding a digital signature linked to a domain name to each outgoing email message. The recipient system can verify this by looking up the sender’s public key published in the DNS records for that domain. A valid signature also guarantees that some parts of the email have not been modified since the signature was added.
DKIM is now an internet standard, and deploying SPF and DKIM is best practice.
Domain-Based Message Authentication, Reporting and Conformance (DMARC)
DMARC is also an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use. The purpose of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other malicious activities.
Once the DMARC DNS entry is published for the domain, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record, the email could be delivered, quarantined or rejected.
DMARC extends the two existing mechanisms noted above, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures – and a reporting mechanism for actions performed under those policies.
While DMARC doesn’t directly address whether or not an email is spam or otherwise fraudulent, it can require that a message not only pass DKIM or SPF validation, but that it also pass alignment. Under DMARC a message can fail even if it passes SPF or DKIM, but fails alignment.
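The alignment rule is the part of DMARC that is easiest to misunderstand, so here is an added example (not from the original article) that parses a DMARC record and applies its `aspf`/`adkim` alignment modes and `p`/`sp` policies to the outcome of the SPF and DKIM checks. The record, domain names and check results are constructed for the demonstration. The organizational-domain helper is simplified to "the last two labels"; a real implementation consults the Public Suffix List so that domains such as example.co.uk are handled correctly.

```python
# Constructed DMARC TXT record as it would be published at _dmarc.example.com.
# Relaxed SPF alignment, strict DKIM alignment, reject at the organizational
# domain, quarantine for subdomains, and aggregate reports to a mailbox.
SAMPLE_DMARC = (
    "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(record):
    """Parse a DMARC record into a tag dictionary, applying the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("aspf", "r")   # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; see lead-in)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed mode only needs the same org domain."""
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope sender (MAIL FROM) domain that SPF evaluated;
    dkim_domain is the d= tag of a signature that verified. A message passes
    DMARC only if at least one mechanism both passed AND is aligned with the
    visible From: domain.
    """
    tags = parse_dmarc(record)
    spf_aligned = (
        spf_result == "pass"
        and spf_domain is not None
        and aligned(from_domain, spf_domain, tags["aspf"])
    )
    dkim_aligned = (
        dkim_result == "pass"
        and dkim_domain is not None
        and aligned(from_domain, dkim_domain, tags["adkim"])
    )
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # On failure, p= applies to the organizational domain itself and sp= (when
    # published) applies to its subdomains.
    policy = tags["p"]
    if "sp" in tags and from_domain.lower().rstrip(".") != org_domain(from_domain):
        policy = tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    # Legitimate mail: SPF passes for a subdomain bounce address, relaxed => aligned.
    print(evaluate_dmarc(SAMPLE_DMARC, "example.com", "pass", "bounce.example.com", "fail", None))
    # Lookalike: SPF passes, but for an unrelated domain, so DMARC fails => reject.
    print(evaluate_dmarc(SAMPLE_DMARC, "example.com", "pass", "example-mail.net", "fail", None))
```

The second case is the point made above: SPF itself passed, because the sending domain really did authorize that server, yet the message fails DMARC because the authenticated domain does not align with what the user sees in From:. DKIM under `adkim=s` behaves the same way for a signature whose `d=` is a subdomain rather than the exact From: domain.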
Setting up DMARC may also have a positive impact on deliverability for legitimate senders (your outgoing messages are less likely to be identified as spam).
The implementation of SPF, DKIM and DMARC is considered best practice and works to prevent email spoofing while having the additional benefit of ensuring that outgoing mail is trusted – you protect yourself and help protect those you communicate with.
- Phishing Statistics via Dashlane
- Data Breach Investigations Report via Verizon
- Enabling SPF, DKIM and DMARC in Office365 Exchange Online via Microsoft